<?php

# 数据库配置
define("HOST","localhost");
define("USER","****");
define("PWD","*****");
define("DB","****");

# 编码
header("Content-type: text/html; charset=utf-8");

# 替换的字符串
$reg = "/\"|\'|union|benchmark|sleep|update|order|insert|into|for|mid|user\(|version|table|like|in\(|mid|ascii|substr|information_schema|by|group|exp|data|limit|file/";

# 递归替换危险字符为空
function reg_replace($reg, $strs){
    preg_match($reg, $strs, $result);
    if(count($result) == 1){
        $s = preg_replace($reg, "", $strs);
        return reg_replace($reg, $s);
    }else{
        return $strs;
    }
}

# 传入sql语句，做查询操作，返回结果集数组
function query($sql){
    mysql_connect(HOST,USER,PWD) or die('mysql connect error');
    mysql_select_db(DB);
    mysql_set_charset('utf8');

    $result = mysql_query($sql);
    if($result && mysql_affected_rows() > 0){
        while($row = mysql_fetch_assoc($result)){
            $list[] = $row;
        }
        mysql_free_result($result);
    }
    echo mysql_error();
    mysql_close();
    return @$list;
}

# 转换小写
$id = strtolower(@$_GET["id"]);

# 判断是否出现数字
if(preg_match("/\d/", $id)){
    die("waf");
}

$id = reg_replace($reg, $id);
$sql = "select username from ctf_oaa_me where id= $id";
#echo $sql;
$result = query($sql);
echo "<br>输入字符串为：$id";
echo "<br><br>你好，我是宇智波铁柱，英文名：";
if($result){
    foreach($result as $val){
        echo $val["username"];
    }
}

/*

SQL:

create table ctf_oaa_me(
id int(1) not null,
username varchar(255) not null,
flag_cksjodjanckd varchar(255) not null
);

insert into ctf_oaa_me(id,username,flag_cksjodjanckd) value(1,'YuZhiBo TieZhu','flag{efadfc0939dd1b329}');


*/

?>